Processing password policy codes in pass-through authentication
You can configure IBM® Security Directory Server to process the password policy failure reason codes from pass-through directories and send normalized error codes to the client applications. Use this feature so that the client application can identify the reason for the failure and take the required action to resolve the error.
About this task
Processing of password policy codes is supported only when Active Directory or IBM Security Directory Server is the pass-through authentication server. Errors from any other directories are not processed.
If you do not configure password policy processing, or if the pass-through directory is one that is not supported for password policy code processing, IBM Security Directory Server returns the generic LDAP error code LDAP_INVALID_CREDENTIALS to the client. The client then has no way to tell why the bind failed and cannot take a corrective action. For example, if the resolution requires that the password be reset, a client application can redirect the user to a password reset page, but only if IBM Security Directory Server processes the reason code from the pass-through directory.
Procedure
Results
Based on the type of directory that you specify, IBM Security Directory Server parses and processes the login error response from the pass-through directory. It then maps the failure reason codes to the appropriate control error codes of IBM Security Directory Server, as shown in the following table.
| Active Directory data code | IBM Security Directory Server control error code |
|---|---|
| 525 (User not found) | None (only the LDAP error is sent, no response control) |
| 52e (Invalid credentials) | None (only the LDAP error is sent, no response control) |
| 530 (Not permitted to log on at this time) | 13 (LDAP_NOT_PERMITTED – new error code) |
| 531 (Not permitted to log on at this workstation) | 13 (LDAP_NOT_PERMITTED – new error code) |
| 532 (Password expired) | 3 (LDAP_PASSWORD_EXPIRED) – Error, Password has expired |
| 533 (Account disabled) | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked |
| 534 (The user has not been granted the requested logon type at this machine) | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked |
| 701 (Account expired) | 14 (LDAP_ACCOUNT_EXPIRED – new error code) |
| 773 (User must reset password) | 5 (LDAP_CHANGE_AFTER_RESET) – Error, Password must be changed after reset |
| 775 (User account locked) | 4 (LDAP_ACCOUNT_LOCKED) – Error, Account is locked |
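The mapping in the table, applied to a raw Active Directory bind failure, as an added Python example that is not part of this page or of IBM Security Directory Server: it extracts the data code from the diagnostic message Active Directory returns with an invalidCredentials result, looks up the control error code from the table, and shows the client-side decision a relying application could make. The diagnostic-message format ("AcceptSecurityContext error, data 773, v1db1"), the function and field names, and the treatment of data codes not listed in the table (no response control, like 525 and 52e) are assumptions; the sample messages are constructed, not captured from a server.

```python
import re
from typing import NamedTuple, Optional

# Mapping copied from the table on this page: Active Directory data code
# (the hex token from the bind diagnostic message) -> IBM Security Directory
# Server control error code. None means only the LDAP error is returned,
# with no response control.
AD_TO_SDS_CONTROL = {
    "525": None,  # user not found
    "52e": None,  # invalid credentials
    "530": 13,    # not permitted to log on at this time
    "531": 13,    # not permitted to log on at this workstation
    "532": 3,     # password expired
    "533": 4,     # account disabled
    "534": 4,     # logon type not granted at this machine
    "701": 14,    # account expired
    "773": 5,     # user must reset password
    "775": 4,     # user account locked
}

# Control error code -> name, also from the table.
SDS_CONTROL_NAMES = {
    3: "LDAP_PASSWORD_EXPIRED",
    4: "LDAP_ACCOUNT_LOCKED",
    5: "LDAP_CHANGE_AFTER_RESET",
    13: "LDAP_NOT_PERMITTED",
    14: "LDAP_ACCOUNT_EXPIRED",
}

# Standard LDAP result code invalidCredentials. Assumption: the result code
# is the same whether or not a response control accompanies it.
LDAP_INVALID_CREDENTIALS = 49

# Assumption: Active Directory places the data code in the diagnostic message
# of the bind response as "... AcceptSecurityContext error, data 773, v1db1".
_DATA_CODE_RE = re.compile(
    r"AcceptSecurityContext error, data ([0-9a-f]{3})\b", re.IGNORECASE
)


class NormalizedBindFailure(NamedTuple):
    ad_data_code: Optional[str]        # e.g. "773", or None if absent
    ldap_result_code: int              # invalidCredentials in every case
    control_error_code: Optional[int]  # SDS control error code, or None
    control_error_name: Optional[str]


def parse_ad_data_code(diagnostic_message: str) -> Optional[str]:
    """Extract the three-hex-digit data code, lower-cased, or None."""
    match = _DATA_CODE_RE.search(diagnostic_message)
    return match.group(1).lower() if match else None


def normalize_ad_bind_failure(diagnostic_message: str) -> NormalizedBindFailure:
    """Apply the page's table to an AD bind failure.

    Data codes not in the table are treated like 525/52e: the LDAP error
    alone, no response control (assumption; the page does not list them).
    """
    code = parse_ad_data_code(diagnostic_message)
    control = AD_TO_SDS_CONTROL.get(code) if code is not None else None
    name = SDS_CONTROL_NAMES.get(control) if control is not None else None
    return NormalizedBindFailure(code, LDAP_INVALID_CREDENTIALS, control, name)


def client_action(result: NormalizedBindFailure) -> str:
    """Illustrative client-side dispatch on the normalized control code.

    Codes 3 and 5 are the cases where a password reset page is the right
    next step. With no control (user not found, wrong password, or an
    unlisted code) the client shows one generic message for all of them,
    so the response cannot be used to learn which user names exist.
    """
    if result.control_error_code in (3, 5):
        return "redirect_to_password_reset"
    if result.control_error_code == 4:
        return "show_account_locked"
    if result.control_error_code in (13, 14):
        return "show_logon_not_permitted"
    return "show_generic_invalid_credentials"


# Constructed sample diagnostic messages (not captured from a real server).
SAMPLE_DIAGNOSTICS = {
    "must_reset":   "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
    "bad_password": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "locked":       "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    "no_data_code": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, v1db1",
}

if __name__ == "__main__":
    for label, message in SAMPLE_DIAGNOSTICS.items():
        result = normalize_ad_bind_failure(message)
        print(f"{label:13} data={result.ad_data_code!s:5} "
              f"control={result.control_error_name} -> {client_action(result)}")
```

Note that 525 and 52e both map to "no response control", so a client cannot distinguish an unknown user from a wrong password from what IBM Security Directory Server returns; keep the user-facing message identical in that case rather than inferring account existence from the absence of a control.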